Multiple vulnerabilities in Mozilla Firefox
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 17 |
| CVE-ID | CVE-2024-6600 CVE-2024-6601 CVE-2024-6602 CVE-2024-6603 CVE-2024-6604 CVE-2024-6614 CVE-2024-6609 CVE-2024-6606 CVE-2024-6605 CVE-2024-6615 CVE-2024-6613 CVE-2024-6612 CVE-2024-6607 CVE-2024-6610 CVE-2024-6611 CVE-2024-6608 CVE-2024-7652 |
| CWE-ID | CWE-119 CWE-362 CWE-835 CWE-415 CWE-125 CWE-357 CWE-254 CWE-447 CWE-200 CWE-843 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Firefox ESR Client/Desktop applications / Web browsers Mozilla Firefox Client/Desktop applications / Web browsers Firefox for Android Mobile applications / Apps for mobile phones |
| Vendor | Mozilla |
Security Bulletin
This security bulletin contains information about 17 vulnerabilities.
1) Buffer overflow
EUVDB-ID: #VU93894
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6600
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in WebGL API. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Note, the vulnerability affects Firefox installations on macOS only.
Install updates from vendor's website.
Vulnerable software versionsFirefox ESR: 102.0 - 115.12.0
Mozilla Firefox: 100.0 - 127.0.2
CPE2.3- cpe:2.3:a:mozilla:firefox_esr:115.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0:*:*:*:*:*:*:*
http://www.mozilla.org/en-US/security/advisories/mfsa2024-30/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-29/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Race condition
EUVDB-ID: #VU93895
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6601
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to a race condition in permission assignment. A remote attacker can trick the victim to visit a specially crafted website, bypass cross-origin container obtaining permissions of the top-level origin and gain access to sensitive information.
Install updates from vendor's website.
Vulnerable software versionsFirefox ESR: 102.0 - 115.12.0
Mozilla Firefox: 100.0 - 127.0.2
Firefox for Android: 100.1.0 - 127.0
CPE2.3- cpe:2.3:a:mozilla:firefox_esr:115.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:126.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:124.2.0:*:*:*:*:*:*:*
http://www.mozilla.org/en-US/security/advisories/mfsa2024-30/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-29/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Buffer overflow
EUVDB-ID: #VU93896
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6602
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in NSS. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox ESR: 102.0 - 115.12.0
Mozilla Firefox: 100.0 - 127.0.2
Firefox for Android: 100.1.0 - 127.0
CPE2.3- cpe:2.3:a:mozilla:firefox_esr:115.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:126.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:124.2.0:*:*:*:*:*:*:*
http://www.mozilla.org/en-US/security/advisories/mfsa2024-30/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-29/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Buffer overflow
EUVDB-ID: #VU93897
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6603
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in thread creation. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and crash the browser.
Install updates from vendor's website.
Vulnerable software versionsFirefox ESR: 102.0 - 115.12.0
Mozilla Firefox: 100.0 - 127.0.2
Firefox for Android: 100.1.0 - 127.0
CPE2.3- cpe:2.3:a:mozilla:firefox_esr:115.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:126.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:124.2.0:*:*:*:*:*:*:*
http://www.mozilla.org/en-US/security/advisories/mfsa2024-30/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-29/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Buffer overflow
EUVDB-ID: #VU93898
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6604
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox ESR: 102.0 - 115.12.0
Mozilla Firefox: 100.0 - 127.0.2
Firefox for Android: 100.1.0 - 127.0
CPE2.3- cpe:2.3:a:mozilla:firefox_esr:115.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:126.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:124.2.0:*:*:*:*:*:*:*
http://www.mozilla.org/en-US/security/advisories/mfsa2024-30/
http://www.mozilla.org/en-US/security/advisories/mfsa2024-29/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Infinite loop
EUVDB-ID: #VU94627
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6614
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to alter trace data.
The vulnerability exists due to infinite loop. The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox for Android: 120.0 - 127.0
Mozilla Firefox: 120.0 - 127.0.2
CPE2.3- cpe:2.3:a:mozilla:firefox_for_android:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:126.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:124.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0:*:*:*:*:*:*:*
http://www.mozilla.org/en-US/security/advisories/mfsa2024-29/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Double free
EUVDB-ID: #VU94622
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6609
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in NSS. A remote attacker can force the browser to free an elliptic curve key which was never allocated and crash the browser.
Install updates from vendor's website.
Vulnerable software versionsFirefox for Android: 120.0 - 127.0
Mozilla Firefox: 120.0 - 127.0.2
CPE2.3- cpe:2.3:a:mozilla:firefox_for_android:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:126.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:124.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0:*:*:*:*:*:*:*
http://www.mozilla.org/en-US/security/advisories/mfsa2024-29/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Out-of-bounds read
EUVDB-ID: #VU94619
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6606
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in clipboard component. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox for Android: 120.0 - 127.0
Mozilla Firefox: 120.0 - 127.0.2
CPE2.3- cpe:2.3:a:mozilla:firefox_for_android:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:126.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:124.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0:*:*:*:*:*:*:*
http://www.mozilla.org/en-US/security/advisories/mfsa2024-29/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU94618
Risk: Medium
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6605
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform tapjacking attacks.
The vulnerability exists due to missing activation delay when interacting with permission prompts. A remote attacker can perform tapjacking attacks.
Install updates from vendor's website.
Vulnerable software versionsFirefox for Android: 100.1.0 - 127.0
CPE2.3- cpe:2.3:a:mozilla:firefox_for_android:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:126.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:124.2.0:*:*:*:*:*:*:*
http://www.mozilla.org/en-US/security/advisories/mfsa2024-29/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Buffer overflow
EUVDB-ID: #VU94628
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6615
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox for Android: 120.0 - 127.0
Mozilla Firefox: 120.0 - 127.0.2
CPE2.3- cpe:2.3:a:mozilla:firefox_for_android:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:126.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:124.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0:*:*:*:*:*:*:*
http://www.mozilla.org/en-US/security/advisories/mfsa2024-29/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Infinite loop
EUVDB-ID: #VU94626
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6613
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to alter trace data,
The vulnerability exists due to infinite loop. The frame iterator could get stuck in a loop when encountering certain wasm frames leading to incorrect stack traces.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox for Android: 120.0 - 127.0
Mozilla Firefox: 120.0 - 127.0.2
CPE2.3- cpe:2.3:a:mozilla:firefox_for_android:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:126.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:124.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0:*:*:*:*:*:*:*
http://www.mozilla.org/en-US/security/advisories/mfsa2024-29/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Security features bypass
EUVDB-ID: #VU94625
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6612
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass CSP protection mechanism.
The vulnerability exists due to CSP violation leakage when using devtools. CSP violations generated links in the console tab of the developer tools, pointing to the violating resource. This caused a DNS prefetch which leaked that a CSP violation happened.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox for Android: 120.0 - 127.0
Mozilla Firefox: 120.0 - 127.0.2
CPE2.3- cpe:2.3:a:mozilla:firefox_for_android:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:126.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:124.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0:*:*:*:*:*:*:*
http://www.mozilla.org/en-US/security/advisories/mfsa2024-29/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU94620
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6607
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to the way the browsers handles escape button and pointerlock. It was possible to prevent a user from exiting pointerlock when pressing
escape
and to overlay customValidity notifications from a <select> element over certain
permission prompts. This could be used to confuse a user into giving a site unintended permissions.
Install updates from vendor's website.
Vulnerable software versionsFirefox for Android: 120.0 - 127.0
Mozilla Firefox: 120.0 - 127.0.2
CPE2.3- cpe:2.3:a:mozilla:firefox_for_android:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:126.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:124.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0:*:*:*:*:*:*:*
http://www.mozilla.org/en-US/security/advisories/mfsa2024-29/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Unimplemented or Unsupported Feature in UI
EUVDB-ID: #VU94623
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6610
CWE-ID:
CWE-447 - Unimplemented or Unsupported Feature in UI
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error in form validation popups. A remote attacker can spam form validation messages to prevent users from exiting full-screen mode.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox for Android: 120.0 - 127.0
Mozilla Firefox: 120.0 - 127.0.2
CPE2.3- cpe:2.3:a:mozilla:firefox_for_android:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:126.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:124.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0:*:*:*:*:*:*:*
http://www.mozilla.org/en-US/security/advisories/mfsa2024-29/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Information disclosure
EUVDB-ID: #VU94624
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6611
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to SameSite=Strict or Lax cookies could be sent to a nested iframe. A remote attacker can gain access to potentially sensitive information.
Install updates from vendor's website.
Vulnerable software versionsFirefox for Android: 120.0 - 127.0
Mozilla Firefox: 120.0 - 127.0.2
CPE2.3- cpe:2.3:a:mozilla:firefox_for_android:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:126.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:124.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0:*:*:*:*:*:*:*
http://www.mozilla.org/en-US/security/advisories/mfsa2024-29/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Insufficient UI Warning of Dangerous Operations
EUVDB-ID: #VU94621
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-6608
CWE-ID:
CWE-357 - Insufficient UI Warning of Dangerous Operations
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to an error when handling cursor and pointerlock. It was possible to move the cursor using pointerlock from an iframe. This allowed moving the cursor outside of the viewport and the Firefox window.
MitigationInstall updates from vendor's website.
Vulnerable software versionsFirefox for Android: 120.0 - 127.0
Mozilla Firefox: 120.0 - 127.0.2
CPE2.3- cpe:2.3:a:mozilla:firefox_for_android:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:126.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:124.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0:*:*:*:*:*:*:*
http://www.mozilla.org/en-US/security/advisories/mfsa2024-29/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Type Confusion
EUVDB-ID: #VU97413
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-7652
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in the ECMA-262 specification relating to Async Generators. A remote attacker can trick the victim into visiting a specially crafted website, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMozilla Firefox: 100.0 - 127.0.2
Firefox ESR: 102.0 - 115.12.0
Firefox for Android: 100.1.0 - 127.0
CPE2.3- cpe:2.3:a:mozilla:firefox_esr:115.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_esr:102.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:mozilla_firefox:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:127.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:126.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox_for_android:124.2.0:*:*:*:*:*:*:*
http://bugzilla.mozilla.org/show_bug.cgi?id=1901411
http://github.com/tc39/ecma262/security/advisories/GHSA-g38c-wh3c-5h9r
http://www.mozilla.org/security/advisories/mfsa2024-29/
http://www.mozilla.org/security/advisories/mfsa2024-30/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
